From 4d66c14fd544bc6fbd56060fdb13265177761b99 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <slavi@devture.com>
Date: Sun, 14 Jan 2024 10:40:46 +0200
Subject: [PATCH] Add support for the internal Traefik entrypoint to Conduit

---
 group_vars/matrix_servers                     |  3 +
 roles/custom/matrix-conduit/defaults/main.yml |  8 +++
 .../matrix-conduit/tasks/validate_config.yml  |  1 +
 .../custom/matrix-conduit/templates/labels.j2 | 59 +++++++++++++------
 4 files changed, 52 insertions(+), 19 deletions(-)

diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 0b0fdc2cd..df8d4496e 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4995,6 +4995,9 @@ matrix_conduit_container_labels_public_client_root_redirection_url: "{{ (('https
 
 matrix_conduit_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint }}"
 
+matrix_conduit_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
+matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
 #
diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml
index 15421dec1..9852f9ba9 100644
--- a/roles/custom/matrix-conduit/defaults/main.yml
+++ b/roles/custom/matrix-conduit/defaults/main.yml
@@ -70,6 +70,14 @@ matrix_conduit_container_labels_public_client_api_traefik_entrypoints: "{{ matri
 matrix_conduit_container_labels_public_client_api_traefik_tls: "{{ matrix_conduit_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
 matrix_conduit_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_conduit_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 
+# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
+# This is similar to `matrix_conduit_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
+matrix_conduit_container_labels_internal_client_api_enabled: false
+matrix_conduit_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_conduit_container_labels_public_client_api_traefik_path_prefix }}"
+matrix_conduit_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_conduit_container_labels_internal_client_api_traefik_path_prefix }}`)"
+matrix_conduit_container_labels_internal_client_api_traefik_priority: "{{ matrix_conduit_container_labels_public_client_api_traefik_priority }}"
+matrix_conduit_container_labels_internal_client_api_traefik_entrypoints: ""
+
 # Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
 matrix_conduit_container_labels_public_federation_api_enabled: "{{ matrix_conduit_allow_federation }}"
 matrix_conduit_container_labels_public_federation_api_traefik_hostname: "{{ matrix_conduit_hostname }}"
diff --git a/roles/custom/matrix-conduit/tasks/validate_config.yml b/roles/custom/matrix-conduit/tasks/validate_config.yml
index cc2973647..7d643c654 100644
--- a/roles/custom/matrix-conduit/tasks/validate_config.yml
+++ b/roles/custom/matrix-conduit/tasks/validate_config.yml
@@ -8,3 +8,4 @@
   with_items:
     - {'name': 'matrix_conduit_hostname', when: true}
     - {'name': 'matrix_conduit_container_network', when: true}
+    - {'name': 'matrix_conduit_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_conduit_container_labels_internal_client_api_enabled }}"}
diff --git a/roles/custom/matrix-conduit/templates/labels.j2 b/roles/custom/matrix-conduit/templates/labels.j2
index 7081344a5..89a9cda96 100644
--- a/roles/custom/matrix-conduit/templates/labels.j2
+++ b/roles/custom/matrix-conduit/templates/labels.j2
@@ -21,20 +21,20 @@ traefik.http.middlewares.matrix-conduit-client-root-redirect.redirectregex.regex
 traefik.http.middlewares.matrix-conduit-client-root-redirect.redirectregex.replacement={{ matrix_conduit_container_labels_public_client_root_redirection_url }}
 {% endif %}
 
-traefik.http.routers.matrix-conduit-client-root.rule={{ matrix_conduit_container_labels_public_client_root_traefik_rule }}
+traefik.http.routers.matrix-conduit-public-client-root.rule={{ matrix_conduit_container_labels_public_client_root_traefik_rule }}
 
-traefik.http.routers.matrix-conduit-client-root.middlewares={{ client_root_middlewares | join(',') }}
+traefik.http.routers.matrix-conduit-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
 
 {% if matrix_conduit_container_labels_public_client_root_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduit-client-root.priority={{ matrix_conduit_container_labels_public_client_root_traefik_priority }}
+traefik.http.routers.matrix-conduit-public-client-root.priority={{ matrix_conduit_container_labels_public_client_root_traefik_priority }}
 {% endif %}
 
-traefik.http.routers.matrix-conduit-client-root.service=matrix-conduit
-traefik.http.routers.matrix-conduit-client-root.entrypoints={{ matrix_conduit_container_labels_public_client_root_traefik_entrypoints }}
-traefik.http.routers.matrix-conduit-client-root.tls={{ matrix_conduit_container_labels_public_client_root_traefik_tls | to_json }}
+traefik.http.routers.matrix-conduit-public-client-root.service=matrix-conduit
+traefik.http.routers.matrix-conduit-public-client-root.entrypoints={{ matrix_conduit_container_labels_public_client_root_traefik_entrypoints }}
+traefik.http.routers.matrix-conduit-public-client-root.tls={{ matrix_conduit_container_labels_public_client_root_traefik_tls | to_json }}
 
 {% if matrix_conduit_container_labels_public_client_root_traefik_tls %}
-traefik.http.routers.matrix-conduit-client-root.tls.certResolver={{ matrix_conduit_container_labels_public_client_root_traefik_tls_certResolver }}
+traefik.http.routers.matrix-conduit-public-client-root.tls.certResolver={{ matrix_conduit_container_labels_public_client_root_traefik_tls_certResolver }}
 {% endif %}
 
 {% endif %}
@@ -48,18 +48,18 @@ traefik.http.routers.matrix-conduit-client-root.tls.certResolver={{ matrix_condu
 #}
 {% if matrix_conduit_container_labels_public_client_api_enabled %}
 
-traefik.http.routers.matrix-conduit-client-api.rule={{ matrix_conduit_container_labels_public_client_api_traefik_rule }}
+traefik.http.routers.matrix-conduit-public-client-api.rule={{ matrix_conduit_container_labels_public_client_api_traefik_rule }}
 
 {% if matrix_conduit_container_labels_public_client_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduit-client-api.priority={{ matrix_conduit_container_labels_public_client_api_traefik_priority }}
+traefik.http.routers.matrix-conduit-public-client-api.priority={{ matrix_conduit_container_labels_public_client_api_traefik_priority }}
 {% endif %}
 
-traefik.http.routers.matrix-conduit-client-api.service=matrix-conduit
-traefik.http.routers.matrix-conduit-client-api.entrypoints={{ matrix_conduit_container_labels_public_client_api_traefik_entrypoints }}
-traefik.http.routers.matrix-conduit-client-api.tls={{ matrix_conduit_container_labels_public_client_api_traefik_tls | to_json }}
+traefik.http.routers.matrix-conduit-public-client-api.service=matrix-conduit
+traefik.http.routers.matrix-conduit-public-client-api.entrypoints={{ matrix_conduit_container_labels_public_client_api_traefik_entrypoints }}
 
+traefik.http.routers.matrix-conduit-public-client-api.tls={{ matrix_conduit_container_labels_public_client_api_traefik_tls | to_json }}
 {% if matrix_conduit_container_labels_public_client_api_traefik_tls %}
-traefik.http.routers.matrix-conduit-client-api.tls.certResolver={{ matrix_conduit_container_labels_public_client_api_traefik_tls_certResolver }}
+traefik.http.routers.matrix-conduit-public-client-api.tls.certResolver={{ matrix_conduit_container_labels_public_client_api_traefik_tls_certResolver }}
 {% endif %}
 
 {% endif %}
@@ -68,23 +68,44 @@ traefik.http.routers.matrix-conduit-client-api.tls.certResolver={{ matrix_condui
 #}
 
 
+{#
+	Internal Client-API (/_matrix)
+#}
+{% if matrix_conduit_container_labels_internal_client_api_enabled %}
+
+traefik.http.routers.matrix-conduit-public-client-api.rule={{ matrix_conduit_container_labels_internal_client_api_traefik_rule }}
+
+{% if matrix_conduit_container_labels_internal_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-conduit-public-client-api.priority={{ matrix_conduit_container_labels_internal_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-conduit-public-client-api.service=matrix-conduit
+traefik.http.routers.matrix-conduit-public-client-api.entrypoints={{ matrix_conduit_container_labels_internal_client_api_traefik_entrypoints }}
+{% endif %}
+
+{% endif %}
+{#
+	/Internal Client-API (/_matrix)
+#}
+
+
 {#
 	Public Federation-API (/_matrix)
 #}
 {% if matrix_conduit_container_labels_public_federation_api_enabled %}
 
-traefik.http.routers.matrix-conduit-federation-api.rule={{ matrix_conduit_container_labels_public_federation_api_traefik_rule }}
+traefik.http.routers.matrix-conduit-public-federation-api.rule={{ matrix_conduit_container_labels_public_federation_api_traefik_rule }}
 
 {% if matrix_conduit_container_labels_public_federation_api_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-conduit-federation-api.priority={{ matrix_conduit_container_labels_public_federation_api_traefik_priority }}
+traefik.http.routers.matrix-conduit-public-federation-api.priority={{ matrix_conduit_container_labels_public_federation_api_traefik_priority }}
 {% endif %}
 
-traefik.http.routers.matrix-conduit-federation-api.service=matrix-conduit
-traefik.http.routers.matrix-conduit-federation-api.entrypoints={{ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints }}
-traefik.http.routers.matrix-conduit-federation-api.tls={{ matrix_conduit_container_labels_public_federation_api_traefik_tls | to_json }}
+traefik.http.routers.matrix-conduit-public-federation-api.service=matrix-conduit
+traefik.http.routers.matrix-conduit-public-federation-api.entrypoints={{ matrix_conduit_container_labels_public_federation_api_traefik_entrypoints }}
 
+traefik.http.routers.matrix-conduit-public-federation-api.tls={{ matrix_conduit_container_labels_public_federation_api_traefik_tls | to_json }}
 {% if matrix_conduit_container_labels_public_federation_api_traefik_tls %}
-traefik.http.routers.matrix-conduit-federation-api.tls.certResolver={{ matrix_conduit_container_labels_public_federation_api_traefik_tls_certResolver }}
+traefik.http.routers.matrix-conduit-public-federation-api.tls.certResolver={{ matrix_conduit_container_labels_public_federation_api_traefik_tls_certResolver }}
 {% endif %}
 
 {% endif %}